dockerfile.best-practice.set-pipefail.set-pipefail
semgrep
Author
unknown
Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want to fail the command at any stage in the pipe, set 'pipefail' by including `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the command. If you're using alpine and don't have bash installed, communicate this explicitly with `SHELL ["/bin/ash"]`.
Definition
rules:
  - id: set-pipefail
    languages:
      - dockerfile
    message: Only the exit code from the final command in this RUN instruction will
      be evaluated unless 'pipefail' is set. If you want to fail the command at
      any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash",
      "-o", "pipefail", "-c"]' before the command. If you're using alpine and
      don't have bash installed, communicate this explicitly with `SHELL
      ["/bin/ash"]`.
    metadata:
      references:
        - https://github.com/hadolint/hadolint/wiki/DL4006
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4006
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern-either:
          - pattern: RUN ... | ...
          - pattern: RUN ... || ...
      - pattern-not-inside: |
          SHELL [..., "pipefail", ...]
          ...
          RUN ... | ...
      - pattern-not-inside: |
          SHELL ["/bin/ash", ...]
          ...
          RUN ... | ...
    severity: WARNING
Examples
set-pipefail.dockerfile
# cf. https://github.com/hadolint/hadolint/wiki/DL4006
FROM debian:jessie
# ruleid: set-pipefail
RUN wget -O - https://some.site | wc -l > /number
# ruleid: set-pipefail
RUN apt-get update || apt-get install something || apt-get clean
# ok: set-pipefail
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
# ok: set-pipefail
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
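The following script is an added example, not code from the Semgrep rule, its test file, or the hadolint page it references. It runs the shape of the flagged `RUN wget -O - https://some.site | wc -l` line under Docker's default `sh -c` and under `bash -o pipefail -c`, using a constructed stand-in for a download that fails, and reports the exit status a build would see in each case:

```bash
#!/bin/bash
# Added example: why the set-pipefail rule matters. The pipeline below has the
# same shape as the flagged RUN line; the first stage is a constructed stand-in
# for `wget -O - https://some.site` when the server is unreachable (wget exits
# 4 on a network failure and writes nothing to stdout). /dev/null stands in
# for the /number output file.
PIPELINE='(echo "wget: unable to resolve host address" >&2; exit 4) | wc -l > /dev/null'

# Exit status of the pipeline when executed by the given interpreter command
# line (the equivalent of a Dockerfile SHELL instruction), e.g. `run_status sh`
# or `run_status bash -o pipefail`. The status is printed instead of returned
# so that callers running under `set -e` can capture it safely.
run_status() {
  local rc=0
  "$@" -c "$PIPELINE" 2>/dev/null || rc=$?
  echo "$rc"
}

# Docker's default, SHELL ["/bin/sh", "-c"]: only the status of the final
# command (`wc -l`, which succeeds) is consulted, so the failed download is
# silently ignored and the build continues with an empty /number.
status_without_pipefail() {
  run_status sh
}

# After SHELL ["/bin/bash", "-o", "pipefail", "-c"]: the first non-zero status
# in the pipe (4, from the failed fetch) becomes the pipeline's status, so the
# RUN instruction fails and the image build stops at this step.
status_with_pipefail() {
  run_status bash -o pipefail
}

echo "default shell (sh -c):          exit $(status_without_pipefail)"   # prints 0
echo "bash -o pipefail -c:            exit $(status_with_pipefail)"      # prints 4
```

On an Alpine image without bash, `run_status ash -o pipefail` exercises the `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` form from the examples above in the same way.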
Short Link: https://sg.run/gGon